Paper wallet


Casascius holding early paper wallets

A paper wallet is a document containing all of the data necessary to generate any number of Bitcoin private keys, forming a wallet of keys. However, people often use the term to mean any way of storing bitcoins offline as a physical document. This second definition also includes paper keys and redeemable codes. A paper key is a single key written on paper that is used multiple times like a wallet (this is strongly discouraged). A redeemable code is a single key intended to be funded and "redeemed" only once: these are commonly used for gifts and as part of physical Bitcoin coins/notes.

Like any other wallet of this type, a paper wallet for storing cryptocurrency contains two access keys: public and private. The first is a blockchain address and is needed to receive funds from other users. The second also allows you to transfer coins to other people. It is the combination of these two keys that makes it possible to make transactions on the blockchain. If you lose the keys, you lose access to your cryptocurrency assets. If this data reaches another person, they will be able to use it to access your funds.

Unlike mobile, desktop and online wallets that store data electronically, a paper wallet is a physical carrier of access keys. You do not place your keys in the network, but print them out on paper and integrate them with your online wallet.


A paper wallet is a way to store cryptocurrency offline. You print your keys (private and public) on paper and hide them in a safe place. The keys are printed in the form of QR codes that, when scanned, open access to all your transactions. It is safe because you, the user, have full control over your wallet: the only thing you need to do is secure a piece of paper.

A trusted provider can hide the private key inside a tamper-resistant token, and issue them as a form of bitcoins.
This requires those who accept it as payment to trust that when the provider produced the tokens, they loaded them with the correct amount of bitcoins, and that they have not been tampered with since then.
To redeem the bitcoin value, the token must be destroyed to access the private key.
Often a bitcoin address is visibly embedded on the outside, but there is no guarantee (without destroying the token) that this matches the private key inside, or, even if it does, that the private key is not replicated on multiple tokens or saved by the producer.

Proper paper wallets are often a very secure way of storing bitcoins, since they are not typically exposed to malware. They can also be easily stored securely in safes and safe deposit boxes. However, it may be more difficult to securely back up paper wallets, and due to the current sub-optimal software support, it may be easier to make a mistake that causes loss of bitcoins.

Sometimes people try to use single keys as true bitcoin wallets. However, address reuse is very bad for privacy and security. Because of this, one is forced to choose between hazardous options:

Use the key only once to receive, and only once to send the full amount. This requires the user to know the full amount he wants to store in advance, and often leads to the next situation:

Create multiple keys. By using more than one key, the user can receive more than once using a different address each time, including using new addresses for change. This is very complicated, and makes it easy to accidentally reuse addresses, produce the wrong change/fee combination, lose some keys, spend hours searching for the right key, etc. Not even skilled bitcoin experts are comfortable managing their own keys manually like this.

Therefore, it is highly recommended that you use proper paper wallets which allow you to generate an infinite number of addresses from a single seed.

Proper, multi-key paper wallets usually take the form of a multi-word HD wallet seed mnemonic. The list of several words corresponds to some binary data that is used to generate all of the addresses. Words are used to make it easier to avoid and correct errors. Trying to memorize an entire seed mnemonic is very difficult and is generally not recommended.

A single key (for use in insecure single-key paper wallets or redeemable codes) can be represented in several formats, but typically the Wallet Import Format (WIF) is used, since keys represented that way are very short (51 characters) and thus easy to re-enter when importing or "sweeping" it for withdrawal.

The private seed is used to prove your right to spend the bitcoins transferred to the paper wallet, and as such should be kept hidden and secret.
If the private seed on a paper wallet is exposed (for example in a photograph) then the wallet may be used by anyone who sees it.
To guard against accidental revelation, the private key displayed on the paper wallet may be encrypted or split into several different parts (for example using Shamir's secret sharing scheme).
At the very least, the private key should be well hidden e.g. by folding the wallet in half and sealing it shut.

Currently, at least Armory and Electrum support generating mnemonic codes for their wallets, which can be written down or printed to make a multi-key paper wallet.

Some websites feature free open-source client-side keypair/wallet generators written in JavaScript.
Keypairs/wallets generated by JavaScript or using websites are inherently weak and insecure, and unless the code of the website is audited every time it is used, it may leak the generated keys back to the server, especially if un-audited JavaScript is downloaded and run locally.
Even with careful code auditing, browser plugins or other websites may compromise the environment.

It is important that only those you trust with your money have access to your private key.

Think about what will happen if there is a fire, flood or theft. Ideally, you have sole access to a quality safe and can etch the key into metal yourself.

It is better to have multiple copies in different places, but each of these places should be safe.

Disconnecting from the Internet guarantees that the paper wallet generator is truly self-contained and isn't transmitting your keys online.

Verifying the integrity of the code (and the trustworthiness of the author) is important to make sure a hacker hasn't modified the download so that it generates predictable seeds instead of truly random ones.

A web-based generator should not be used.

A generator should use an appropriate source of random numbers (entropy). This means that the generated keys aren't predictable. If the addresses come from a predictable or partially predictable pattern like pseudorandom numbers [1], someone else who can predict the pattern can steal the balance. Randomness should NEVER be human generated, as the human brain is incapable of secure entropy.

Remember that unlike wallets (paper or otherwise), a single paper key is only good to receive a single payment, and must be redeemed in its entirety.

Some advanced printers have internal storage (even hard drives) that preserve copies of printouts. This is a risk if someone gets access to your printer, or if you dispose of your printer. There is also the possibility that a smart enough printer can be hacked. (Consider Stuxnet, which was able to rewrite the firmware of non-computer devices indirectly connected to the Internet.) If this concerns you, use a "dumb" printer, and never let your printer have access to the Internet or to an Internet-connected computer[2].

An alternative to using a printer for paper wallets is to write the private key and address by hand. The Base58Check encoding used for Bitcoin addresses and private keys specifically excludes characters that look similar, like 0OIl. The mnemonic recovery seeds used by wallets like Armory and Electrum are also suitable to be written by hand.

Paper keys, when used as wallets, are very different from wallets such as Bitcoin Core in that there is only one address in a paper key rather than a hundred or more online keys that are managed with full software assistance from Bitcoin Core.

There are various methods for copying the private key data to other wallets.

bitcoind supports an "importprivkey" RPC method for this purpose.

Bitcoin-Qt's debug console can also be used in a similar way (see also How to import private keys in Bitcoin Core 0.7+).

Mycelium is an Android mobile wallet with an easy-to-use "cold storage" spending function. It is also available via the Android and iTunes stores. The iTunes version may not yet support cold storage spending.

Note that importing a private key that may be compromised can result in the entire wallet becoming insecure. For this reason, sweeping (or sending the entire amount to a fresh address) is generally recommended over plain importing.

Because paper wallets only record the private key and address, wallet software which redeems the bitcoins must somehow learn about the balance of the wallet before being able to spend it. The solution with the best privacy properties is to import the private key into bitcoin-qt and rescan. Nobody watching the bitcoin-qt full node from outside will be able to tell which address it's interested in because all the scanning happens locally on disk[3].

Unfortunately, rescanning is quite slow, so most users are pushed towards using public blockchain explorers or Electrum servers. These centralized services can spy on the user and learn exactly how many bitcoins they have and when/where they spend them. An address database created from all bitcoin addresses is nearly 1 terabyte in size as of April 2017 and takes a long time to build up, so very few people will have this kind of thing locally for the few occasions when they redeem paper wallets. Almost all wallet software today, especially smartphone wallets, relies on centralized lookups when redeeming paper wallets.

This is another reason paper wallets are not recommended: the way that they function pushes people to ruin their own privacy.

Generating paper wallets is not recommended from an online PC. Malware on the PC may be able to steal your paper wallet keys. Even if you generate paper wallets securely, they are still vulnerable to loss and theft.

Unencrypted paper wallets must be kept safe like jewels or cash. For additional security paper wallets can be split into shares, requiring X of Y shares (e.g., 3 out of 5) to reassemble the secret key.

The private key is the most important information about the wallet; it must be protected at all costs. If you lose it, you lose money, and nothing can be done about it. So it is better to keep several copies in several places. Think about what would happen if there was a hurricane, a sudden evacuation or something like that. On the other hand, the more copies, the greater the risk that someone will recognize the key. Under lock and key: many people prefer to store the keys in paper form. In this case, it is logical to hide them in a safe, but remember that home safes are usually not too reliable, and a thief will look for such a safe in the first place. On the other hand, if you do not have individual access to a safe deposit box, you will have to use the home safe.

It is hoped that in the future you will be able to keep the keys in secure distributed cloud storage. However, putting them there in the open is probably not the best idea; you can pre-encrypt them first.

Of course, while using a paper wallet reduces the risks associated with the Internet, other risks remain:

Coercion. There are always people willing to do anything for the sake of enrichment, and of course, you can be "politely asked" to open the safe. The moral? Do not brag about investments in cryptocurrency, either on the Internet or in person: why give criminals an excuse?

Fragility. Paper is just paper; it tears and wears easily. It is better to make some copies.

Theft. Again, since it's paper, an attacker can read it or take a picture, and with that he has access to your money.

Natural disaster. A sheet of paper can burn or get into the water — it is better to have backups.

A bad printer. For example, if you print the wallet on an inkjet printer, the ink can run if it gets wet. A laser printer is better.